diff options
author | DUVAL Thomas <thomas.duval@orange.com> | 2016-06-16 14:50:31 +0200 |
---|---|---|
committer | DUVAL Thomas <thomas.duval@orange.com> | 2016-06-16 14:50:31 +0200 |
commit | adf7e6616c2a8d6f60207059288423f693509928 (patch) | |
tree | b79848d3b61f28e975f4730de541532c5089c6ed /odl-aaa-moon/aaa/aaa-authz | |
parent | 506a1fc1252268fa31ba89882ea55b7665579965 (diff) |
Add new version of aaa
Change-Id: I94d72011e6019e66c98f46d11436a5cb33ff295d
Diffstat (limited to 'odl-aaa-moon/aaa/aaa-authz')
20 files changed, 1703 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml new file mode 100644 index 00000000..42237e41 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/pom.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../../parent</relativePath> + </parent> + + <artifactId>authz-service-config</artifactId> + <description>AuthZ Service Configuration files </description> + <packaging>jar</packaging> + <build> + <plugins> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>build-helper-maven-plugin</artifactId> + <executions> + <execution> + <id>attach-artifacts</id> + <goals> + <goal>attach-artifact</goal> + </goals> + <phase>package</phase> + <configuration> + <artifacts> + <artifact> + <file>${project.build.directory}/classes/initial/${config.authz.service.configfile}</file> + <type>xml</type> + <classifier>config</classifier> + </artifact> + </artifacts> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + +</project> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml new file mode 100644 index 00000000..5b59ca20 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml @@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- vi: set et smarttab sw=4 tabstop=4: --> +<!-- + Copyright (c) 2013 Cisco Systems, Inc. and others. All rights reserved. + + This program and the accompanying materials are made available under the + terms of the Eclipse Public License v1.0 which accompanies this distribution, + and is available at http://www.eclipse.org/legal/epl-v10.html +--> +<snapshot> + <configuration> + <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> + <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config"> + + <!-- defines an implementation module --> + <module> + <type xmlns:authz="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">authz:aaa-authz-service</type> + <name>aaa-authz-service</name> + + <dom-broker> + <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type> + <name>dom-broker</name> + </dom-broker> + + <data-broker> + <type xmlns:binding="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">binding:binding-data-broker</type> + <name>binding-data-broker</name> + </data-broker> + + <policies xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv"> + <service xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">RestConfService</service> + <action xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">Any</action> + <resource xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">*</resource> + <role xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">admin</role> + </policies> + + </module> + </modules> + + <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config"> + <service> + <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type> + <instance> + <name>authz-connector-default</name> + <provider> + /modules/module[type='aaa-authz-service'][name='aaa-authz-service'] + </provider> + </instance> + </service> + </services> + + </data> + + + </configuration> + <required-capabilities> + <capability>urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv?module=aaa-authz-service-impl&revision=2014-07-01</capability> + </required-capabilities> + +</snapshot> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml new file mode 100644 index 00000000..ee6108bd --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/pom.xml @@ -0,0 +1,95 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../../parent</relativePath> + </parent> + + <artifactId>aaa-authz-model</artifactId> + <name>${project.artifactId}</name> + + <dependencies> + <dependency> + <groupId>org.opendaylight.mdsal</groupId> + <artifactId>yang-binding</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>ietf-inet-types</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>ietf-yang-types</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal.model</groupId> + <artifactId>yang-ext</artifactId> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + <extensions>true</extensions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-javadoc-plugin</artifactId> + <configuration> + <stylesheet>maven</stylesheet> + </configuration> + <executions> + <execution> + <goals> + <goal>aggregate</goal> + </goals> + <phase>site</phase> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.opendaylight.yangtools</groupId> + <artifactId>yang-maven-plugin</artifactId> + <version>${yangtools.version}</version> + <executions> + <execution> + <goals> + <goal>generate-sources</goal> + </goals> + <configuration> + <yangFilesRootDir>src/main/yang</yangFilesRootDir> + <codeGenerators> + <generator> + <codeGeneratorClass> + org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl + </codeGeneratorClass> + <outputBaseDir>${salGeneratorPath}</outputBaseDir> + </generator> + </codeGenerators> + <inspectDependencies>true</inspectDependencies> + </configuration> + </execution> + </executions> + + <dependencies> + <dependency> + <groupId>org.opendaylight.mdsal</groupId> + <artifactId>maven-sal-api-gen-plugin</artifactId> + <version>${yangtools.version}</version> + <type>jar</type> + </dependency> + </dependencies> + </plugin> + </plugins> + </build> + <packaging>bundle</packaging> + +</project> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang new file mode 100644 index 00000000..2e0cf9cb --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang @@ -0,0 +1,190 @@ +module authorization-schema { + yang-version 1; + namespace "urn:aaa:yang:authz:ds"; + prefix "authz"; + organization "TBD"; + + contact "wdec@cisco.com"; + + revision 2014-07-22 { + description + "Initial revision."; + } + + //Main module begins + + //TODO: Refactor service type as URI + + //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly + //the naming will derive from the OSGi bundle name of the AuthZ requesting party. + + typedef service-type { + type string; + } + + //Resource denotes the actual resource that is the subject of the AuthZ request. + + typedef resource-type { + type string; + default "*"; + + //Examples of resources: + //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1 + //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/* + //RPC: /operations/example-ops:reboot + //Wildcarded RPC: /operations/example-ops:* + //Notification: /notifications/example-ops:startup + } + + //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin" + + typedef role-type { + type string; + } + + //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com + + typedef domain-type { + type string; + } + + //Action denotes the requested AuthZ action on the resource + //TODO: Refactor as identities to allow for augmentation. + + typedef action-type { + type enumeration { + enum put; + enum commit; + enum exists; + enum getIdentifier; + enum read; + enum cancel; + enum submit; + enum delete; + enum merge; + enum any; + } + default "any"; + } + + typedef authorization-response-type { + type enumeration { + enum not-authorized { value 0; } + enum authorized { value 1; } + } + } + + typedef authorization-duration-type { + type uint32; + } + + // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action. + // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both? + + grouping authorization-grp { + list policies { + key "service"; + leaf service { + type service-type; + } + leaf action { + type action-type; + } + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + leaf authorization { + type authorization-response-type; + } + } + } + + // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action. + + container simple-authorization { + uses authorization-grp; + } + + // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain, + // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain. + // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com. + + + container domain-authorization { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + list authz-domain-chain { + key "priority"; + leaf priority { + type uint32; + } + leaf domain-name { + type leafref { + path "/additional-domain-authz/domains/domain-name"; + } + } + } + } +} + +container additional-domain-authz { + list domains { + key "domain-name"; + leaf domain-name { + type domain-type; + } + uses authorization-grp; + } + } + + + + /* The following is the AuthZ RPC definition */ + + rpc req-authorization { + description + "Check Authorization for a given combination of action and role. + A not-authorized will be returned if unsuccessful."; + + input { + leaf domain-name { + type domain-type; + } + leaf service { + type service-type; + } + leaf action { + type action-type; + mandatory true; + } + + leaf resource { + type resource-type; + mandatory true; + } + leaf role { + type role-type; + mandatory true; + } + + } + + output { + + leaf authorization-response { + type authorization-response-type; + mandatory true; + } + + } + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml new file mode 100644 index 00000000..6104be4b --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/pom.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../../parent</relativePath> + </parent> + + <artifactId>authz-restconf-config</artifactId> + + <description>AuthZ Restconf Connector Configuration file </description> + <packaging>jar</packaging> + <build> + <plugins> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>build-helper-maven-plugin</artifactId> + <executions> + <execution> + <id>attach-artifacts</id> + <goals> + <goal>attach-artifact</goal> + </goals> + <phase>package</phase> + <configuration> + <artifacts> + <artifact> + <file>${project.build.directory}/classes/initial/${config.restconf.configfile}</file> + <type>xml</type> + <classifier>config</classifier> + </artifact> + </artifacts> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> +</project> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml new file mode 100644 index 00000000..deba6558 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + +This program and the accompanying materials are made available under the +terms of the Eclipse Public License v1.0 which accompanies this distribution, +and is available at http://www.eclipse.org/legal/epl-v10.html +--> +<snapshot> + <configuration> + <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> + <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config"> + + <module> + <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector-impl</type> + <name>rest-connector-default-impl</name> + <websocket-port>8185</websocket-port> + <dom-broker> + <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type> + <name>authz-connector-default</name> + </dom-broker> + </module> + </modules> + + <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config"> + <service> + <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector</type> + <instance> + <name>rest-connector-default</name> + <provider> + /modules/module[type='rest-connector-impl'][name='rest-connector-default-impl'] + </provider> + </instance> + </service> + </services> + + </data> + </configuration> + <required-capabilities> + <capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector?module=opendaylight-rest-connector&revision=2014-07-24</capability> + </required-capabilities> +</snapshot> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml new file mode 100644 index 00000000..2c150ce7 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/pom.xml @@ -0,0 +1,152 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- ~ Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + ~ ~ This program and the accompanying materials are made available under + the ~ terms of the Eclipse Public License v1.0 which accompanies this distribution, + ~ and is available at http://www.eclipse.org/legal/epl-v10.html --> + +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../../parent</relativePath> + </parent> + <modelVersion>4.0.0</modelVersion> + + <artifactId>aaa-authz-service</artifactId> + <packaging>bundle</packaging> + + <dependencies> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-binding-util</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-common-util</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.yangtools</groupId> + <artifactId>yang-data-api</artifactId> + </dependency> + <dependency> + <groupId>commons-codec</groupId> + <artifactId>commons-codec</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-binding-api</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>config-api</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-binding-config</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-authz-model</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-authn-api</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-core-api</artifactId> + </dependency> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>sal-core-spi</artifactId> + </dependency> + <dependency> + <groupId>org.jboss.resteasy</groupId> + <artifactId>jaxrs-api</artifactId> + <scope>provided</scope> + </dependency> + + <!-- Test dependencies --> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.mockito</groupId> + <artifactId>mockito-all</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-simple</artifactId> + <scope>test</scope> + </dependency> + + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + <extensions>true</extensions> + <configuration> + <instructions> + <!-- <Bundle-Activator>org.opendaylight.aaa.authz.srv.AuthzProvider</Bundle-Activator> --> + <Export-Package>org.opendaylight.aaa.config.yang.aaa_srv,</Export-Package> + </instructions> + </configuration> + <!-- <configuration> <Export-Package> </Export-Package> </configuration> --> + </plugin> + <plugin> + <groupId>org.opendaylight.yangtools</groupId> + <artifactId>yang-maven-plugin</artifactId> + <version>${yangtools.version}</version> + <executions> + <execution> + <id>config</id> + <goals> + <goal>generate-sources</goal> + </goals> + <configuration> + <codeGenerators> + <generator> + <codeGeneratorClass> + org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator + </codeGeneratorClass> + <outputBaseDir>${jmxGeneratorPath}</outputBaseDir> + <additionalConfiguration> + <namespaceToPackage1> + urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang + </namespaceToPackage1> + </additionalConfiguration> + </generator> + <generator> + <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass> + <outputBaseDir>${salGeneratorPath}</outputBaseDir> + </generator> + </codeGenerators> + <inspectDependencies>true</inspectDependencies> + </configuration> + </execution> + </executions> + <dependencies> + <dependency> + <groupId>org.opendaylight.controller</groupId> + <artifactId>yang-jmx-generator-plugin</artifactId> + <version>${config.version}</version> + </dependency> + <dependency> + <groupId>org.opendaylight.mdsal</groupId> + <artifactId>maven-sal-api-gen-plugin</artifactId> + <version>${yangtools.version}</version> + </dependency> + </dependencies> + </plugin> + </plugins> + </build> + +</project> diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java new file mode 100644 index 00000000..d4ac79af --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java @@ -0,0 +1,150 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Collection; + +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Consumer; +import org.opendaylight.controller.sal.core.api.Provider; +import org.osgi.framework.BundleContext; + +/** + * Created by wdec on 26/08/2014. + */ +public class AuthzBrokerImpl implements Broker, AutoCloseable, Provider { + + private Broker broker; + private ProviderSession providerSession; + private AuthenticationService authenticationService; + + public void setBroker(Broker broker) { + this.broker = broker; + } + + @Override + public void close() throws Exception { + + } + + // Implements AuthzBroker handling of registering consumers or providers. + @Override + public ConsumerSession registerConsumer(Consumer consumer) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer)); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ConsumerSession registerConsumer(Consumer consumer, BundleContext bundleContext) { + + ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer), + bundleContext); + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession, + this); + consumer.onSessionInitiated(authzConsumerContext); + return authzConsumerContext; + } + + @Override + public ProviderSession registerProvider(Provider provider) { + + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider)); + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + } + + @Override + public ProviderSession registerProvider(Provider provider, BundleContext bundleContext) { + + // Allow the real broker to do its thing, while providing a wrapped + // callback + ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider), + bundleContext); + + // Create Authz ProviderContext + AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession, + this); + + // Run onsessionInitiated on injected provider with the AuthZ provider + // context. + provider.onSessionInitiated(authzProviderContext); + return authzProviderContext; + + } + + // Handle the AuthZBroker registration with the real broker + @Override + public void onSessionInitiated(ProviderSession providerSession) { + + // Get now the real DOMDataBroker and register it with the + // AuthzDOMBroker together with the provider session + final DOMDataBroker domDataBroker = providerSession.getService(DOMDataBroker.class); + AuthzDomDataBroker.getInstance().setProviderSession(providerSession); + AuthzDomDataBroker.getInstance().setDomDataBroker(domDataBroker); + AuthzDomDataBroker.getInstance().setAuthService(this.authenticationService); + } + + @Override + public Collection<ProviderFunctionality> getProviderFunctionality() { + return null; + } + + public void setAuthenticationService(AuthenticationService authenticationService) { + this.authenticationService = authenticationService; + } + + // Wrapper for Provider + + public static class ProviderWrapper implements Provider { + private final Provider provider; + + public ProviderWrapper(Provider provider) { + this.provider = provider; + } + + @Override + public void onSessionInitiated(ProviderSession providerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection<ProviderFunctionality> getProviderFunctionality() { + // Allow the RestconfImpl to respond to this + return provider.getProviderFunctionality(); + } + } + + // Wrapper for Consumer + public static class ConsumerWrapper implements Consumer { + + private final Consumer consumer; + + public ConsumerWrapper(Consumer consumer) { + this.consumer = consumer; + } + + @Override + public void onSessionInitiated(ConsumerSession consumerSession) { + // Do a Noop when the real broker calls back + } + + @Override + public Collection<ConsumerFunctionality> getConsumerFunctionality() { + return consumer.getConsumerFunctionality(); + } + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java new file mode 100644 index 00000000..07ba51cd --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Broker.ConsumerSession; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.controller.sal.core.spi.ForwardingConsumerSession; + +/** + * Created by wdec on 28/08/2014. + */ +public class AuthzConsumerContextImpl extends ForwardingConsumerSession { + + private final Broker.ConsumerSession realSession; + + public AuthzConsumerContextImpl(Broker.ConsumerSession realSession, AuthzBrokerImpl authzBroker) { + this.realSession = realSession; + } + + @Override + protected ConsumerSession delegate() { + return realSession; + } + + @Override + public <T extends BrokerService> T getService(Class<T> tClass) { + T t; + // Check for class and return Authz broker only for DOMBroker + if (tClass == DOMDataBroker.class) { + t = (T) AuthzDomDataBroker.getInstance(); + } else { + t = realSession.getService(tClass); + } + // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t); + return t; + } + +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java new file mode 100644 index 00000000..4cc232bc --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java @@ -0,0 +1,129 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 26/08/2014. + */ +public class AuthzDataReadWriteTransaction implements DOMDataReadWriteTransaction { + + private final DOMDataReadWriteTransaction domDataReadWriteTransaction; + + public AuthzDataReadWriteTransaction(DOMDataReadWriteTransaction domDataReadWriteTransaction) { + this.domDataReadWriteTransaction = domDataReadWriteTransaction; + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataReadWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture<Void, TransactionCommitFailedException> submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataReadWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture<RpcResult<TransactionStatus>> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + return domDataReadWriteTransaction.commit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return domDataReadWriteTransaction.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Boolean, ReadFailedException> exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Exists)) { + return domDataReadWriteTransaction.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataReadWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataReadWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataReadWriteTransaction.getIdentifier(); + } + return null; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java new file mode 100644 index 00000000..911f5a48 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.Map; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionChainListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBrokerExtension; +import org.opendaylight.controller.md.sal.dom.api.DOMDataChangeListener; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.controller.md.sal.dom.api.DOMTransactionChain; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.yangtools.concepts.ListenerRegistration; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * Created by wdec on 26/08/2014. + */ +public class AuthzDomDataBroker implements BrokerService, DOMDataBroker { + + private DOMDataBroker domDataBroker; + private Broker.ProviderSession providerSession; + + private volatile AuthenticationService authService; + + final static AuthzDomDataBroker INSTANCE = new AuthzDomDataBroker(); + + public static AuthzDomDataBroker getInstance() { + return INSTANCE; + } + + public void setDomDataBroker(DOMDataBroker domDataBroker) { + this.domDataBroker = domDataBroker; + } + + public void setProviderSession(Broker.ProviderSession providerSession) { + this.providerSession = providerSession; + } + + public void setAuthService(AuthenticationService authService) { + this.authService = authService; + } + + public AuthenticationService getAuthService() { + return this.authService; + } + + @Override + public DOMDataReadOnlyTransaction newReadOnlyTransaction() { + // new Authz transaction + inject real DOM Transaction + DOMDataReadOnlyTransaction ro = domDataBroker.newReadOnlyTransaction(); + + // return domDataBroker.newReadOnlyTransaction(); //Return original + return new AuthzReadOnlyTransaction(ro); + } + + @Override + public Map<Class<? extends DOMDataBrokerExtension>, DOMDataBrokerExtension> getSupportedExtensions() { + return domDataBroker.getSupportedExtensions(); + } + + @Override + public DOMDataReadWriteTransaction newReadWriteTransaction() { + // return new Authz transaction + inject real DOM Transaction + DOMDataReadWriteTransaction rw = domDataBroker.newReadWriteTransaction(); + return new AuthzDataReadWriteTransaction(rw); + } + + @Override + public DOMDataWriteTransaction newWriteOnlyTransaction() { + DOMDataWriteTransaction wo = domDataBroker.newWriteOnlyTransaction(); + return new AuthzWriteOnlyTransaction(wo); + } + + @Override + public ListenerRegistration<DOMDataChangeListener> registerDataChangeListener( + LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, + DOMDataChangeListener domDataChangeListener, DataChangeScope dataChangeScope) { + return domDataBroker.registerDataChangeListener(logicalDatastoreType, + yangInstanceIdentifier, domDataChangeListener, dataChangeScope); + } + + @Override + public DOMTransactionChain createTransactionChain( + TransactionChainListener transactionChainListener) { + return domDataBroker.createTransactionChain(transactionChainListener); + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java new file mode 100644 index 00000000..dbfea6ed --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Broker.ProviderSession; +import org.opendaylight.controller.sal.core.api.BrokerService; +import org.opendaylight.controller.sal.core.spi.ForwardingProviderSession; + +/** + * Created by wdec on 28/08/2014. + */ +public class AuthzProviderContextImpl extends ForwardingProviderSession { + + private final Broker.ProviderSession realSession; + + public AuthzProviderContextImpl(Broker.ProviderSession providerSession, + AuthzBrokerImpl authzBroker) { + this.realSession = providerSession; + } + + @Override + protected ProviderSession delegate() { + // TODO Auto-generated method stub + return realSession; + } + + @Override + public <T extends BrokerService> T getService(Class<T> tClass) { + T t; + // Check for class and return Authz broker only for DOMBroker + if (tClass == DOMDataBroker.class) { + t = (T) AuthzDomDataBroker.getInstance(); + } else { + t = realSession.getService(tClass); + } + // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t); + return t; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java new file mode 100644 index 00000000..c46ffe7c --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.base.Optional; +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; + +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 28/08/2014. + */ + +public class AuthzReadOnlyTransaction implements DOMDataReadOnlyTransaction { + + private final DOMDataReadOnlyTransaction ro; + + public AuthzReadOnlyTransaction(DOMDataReadOnlyTransaction ro) { + this.ro = ro; + } + + @Override + public void close() { + ro.close(); + } + + @Override + public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Read)) { + return ro.read(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public CheckedFuture<Boolean, ReadFailedException> exists( + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(ActionType.Exists)) { + return ro.exists(logicalDatastoreType, yangInstanceIdentifier); + } + ReadFailedException e = new ReadFailedException("Authorization Failed"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return ro.getIdentifier(); + } + return null; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java new file mode 100644 index 00000000..fb344812 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java @@ -0,0 +1,121 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import java.util.List; +import org.opendaylight.aaa.api.Authentication; +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; + +/** + * @author lmukkama Date: 9/2/14 + */ +public class AuthzServiceImpl { + + private static List<Policies> listPolicies; + + private static final String WILDCARD_TOKEN = "*"; + + public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) { + + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl.reqAuthorization( + actionType, logicalDatastoreType, yangInstanceIdentifier); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static boolean isAuthorized(ActionType actionType) { + AuthorizationResponseType authorizationResponseType = AuthzServiceImpl + .reqAuthorization(actionType); + return authorizationResponseType.equals(AuthorizationResponseType.Authorized); + } + + public static void setPolicies(List<Policies> policies) { + + AuthzServiceImpl.listPolicies = policies; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType) { + + AuthenticationService authenticationService = AuthzDomDataBroker.getInstance() + .getAuthService(); + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + Authentication authentication = authenticationService.get(); + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + return checkAuthorization(actionType, authentication); + } + } + return AuthorizationResponseType.NotAuthorized; + } + + public static AuthorizationResponseType reqAuthorization(ActionType actionType, + LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) { + + AuthenticationService authenticationService = AuthzDomDataBroker.getInstance() + .getAuthService(); + + if (authenticationService != null && AuthzServiceImpl.listPolicies != null + && AuthzServiceImpl.listPolicies.size() > 0) { + // Authentication Service exists. Can do authorization checks + Authentication authentication = authenticationService.get(); + + if (authentication != null && authentication.roles() != null + && authentication.roles().size() > 0) { + // Authentication claim object exists with atleast one role + return checkAuthorization(actionType, authentication, logicalDatastoreType, + yangInstanceIdentifier); + } + } + + return AuthorizationResponseType.Authorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication, LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + + // Action type is compared as string, since its type is string in + // the config yang. Comparison is case insensitive + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getResource().getValue().equals(WILDCARD_TOKEN) || policy + .getResource().getValue().equals(yangInstanceIdentifier.toString())) + && (policy.getAction().toLowerCase() + .equals(ActionType.Any.name().toLowerCase()) || actionType.name() + .toLowerCase().equals(policy.getAction().toLowerCase()))) { + + return AuthorizationResponseType.Authorized; + } + + } + + // For helium release we unauthorize other requests. + return AuthorizationResponseType.NotAuthorized; + } + + private static AuthorizationResponseType checkAuthorization(ActionType actionType, + Authentication authentication) { + + for (Policies policy : AuthzServiceImpl.listPolicies) { + if (authentication.roles().contains(policy.getRole().getValue()) + && (policy.getAction().equalsIgnoreCase(ActionType.Any.name()) || policy + .getAction().equalsIgnoreCase(actionType.name()))) { + return AuthorizationResponseType.Authorized; + } + } + return AuthorizationResponseType.NotAuthorized; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java new file mode 100644 index 00000000..1123b928 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import com.google.common.util.concurrent.CheckedFuture; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; + +import org.opendaylight.controller.md.sal.common.api.TransactionStatus; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException; +import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction; +import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType; +import org.opendaylight.yangtools.yang.common.RpcResult; +import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier; +import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode; + +/** + * Created by wdec on 02/09/2014. + */ +public class AuthzWriteOnlyTransaction implements DOMDataWriteTransaction { + + private final DOMDataWriteTransaction domDataWriteTransaction; + + public AuthzWriteOnlyTransaction(DOMDataWriteTransaction wo) { + this.domDataWriteTransaction = wo; + } + + @Override + public void put(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Put)) { + domDataWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public void merge(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Merge)) { + domDataWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier, + normalizedNode); + } + } + + @Override + public boolean cancel() { + if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) { + return domDataWriteTransaction.cancel(); + } + return false; + } + + @Override + public void delete(LogicalDatastoreType logicalDatastoreType, + YangInstanceIdentifier yangInstanceIdentifier) { + + if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier, + ActionType.Delete)) { + domDataWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier); + } + } + + @Override + public CheckedFuture<Void, TransactionCommitFailedException> submit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) { + return domDataWriteTransaction.submit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Deprecated + @Override + public ListenableFuture<RpcResult<TransactionStatus>> commit() { + if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) { + return domDataWriteTransaction.commit(); + } + TransactionCommitFailedException e = new TransactionCommitFailedException( + "Unauthorized User"); + return Futures.immediateFailedCheckedFuture(e); + } + + @Override + public Object getIdentifier() { + if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) { + return domDataWriteTransaction.getIdentifier(); + } + return null; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java new file mode 100644 index 00000000..a590b982 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java @@ -0,0 +1,76 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.controller.config.yang.config.aaa_authz.srv; + +import org.opendaylight.aaa.api.AuthenticationService; +import org.opendaylight.aaa.authz.srv.AuthzBrokerImpl; +import org.opendaylight.aaa.authz.srv.AuthzServiceImpl; +import org.osgi.framework.BundleContext; +import org.osgi.framework.ServiceReference; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class AuthzSrvModule extends + org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModule { + private static final Logger LOG = LoggerFactory.getLogger(AuthzSrvModule.class); + private static boolean simple_config_switch; + private BundleContext bundleContext; + + public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, + org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) { + super(identifier, dependencyResolver); + } + + public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, + org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, + org.opendaylight.controller.config.yang.config.aaa_authz.srv.AuthzSrvModule oldModule, + java.lang.AutoCloseable oldInstance) { + super(identifier, dependencyResolver, oldModule, oldInstance); + } + + @Override + public void customValidation() { + // checkNotNull(getDomBroker(), domBrokerJmxAttribute); + } + + @Override + public java.lang.AutoCloseable createInstance() { + + // Get new AuthZ Broker + final AuthzBrokerImpl authzBrokerImpl = new AuthzBrokerImpl(); + + // Provide real broker to the new Authz broker + authzBrokerImpl.setBroker(getDomBrokerDependency()); + + // Get AuthN service reference and register it with the authzBroker + ServiceReference<AuthenticationService> authServiceReference = bundleContext + .getServiceReference(AuthenticationService.class); + AuthenticationService as = bundleContext.getService(authServiceReference); + authzBrokerImpl.setAuthenticationService(as); + + // Set the policies list to authz serviceimpl + AuthzServiceImpl.setPolicies(getPolicies()); + + // Register AuthZ broker with the real Broker as a provider; triggers + // "onSessionInitiated" in AuthzBrokerImpl + getDomBrokerDependency().registerProvider(authzBrokerImpl); + // TODO ActionType is of type string, not ENUM due to improper + // serialization of ENUMs by config/netconf subsystem. This needs to be + // fixed as soon as config/netconf fixes the problem. + getAction(); + + LOG.info("AuthZ Service Initialized from Config subsystem"); + return authzBrokerImpl; + + } + + public void setBundleContext(BundleContext bundleContext) { + this.bundleContext = bundleContext; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java new file mode 100644 index 00000000..3ff67f54 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java @@ -0,0 +1,53 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +/* + * Generated file + * + * Generated from: yang module name: aaa-authz-service-impl yang module local name: aaa-authz-service + * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator + * Generated at: Thu Jul 24 11:19:40 CEST 2014 + * + * Do not modify this file unless it is present under src/main directory + */ +package org.opendaylight.controller.config.yang.config.aaa_authz.srv; + +import org.opendaylight.controller.config.api.DependencyResolver; +import org.opendaylight.controller.config.api.DynamicMBeanWithInstance; +import org.opendaylight.controller.config.spi.Module; +import org.osgi.framework.BundleContext; + +public class AuthzSrvModuleFactory extends + org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModuleFactory { + + @Override + public org.opendaylight.controller.config.spi.Module createModule(String instanceName, + org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, + org.osgi.framework.BundleContext bundleContext) { + + final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName, + dependencyResolver, bundleContext); + + module.setBundleContext(bundleContext); + + return module; + + } + + @Override + public Module createModule(final String instanceName, + final DependencyResolver dependencyResolver, final DynamicMBeanWithInstance old, + final BundleContext bundleContext) throws Exception { + final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName, + dependencyResolver, old, bundleContext); + + module.setBundleContext(bundleContext); + + return module; + } +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang new file mode 100644 index 00000000..954d0480 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang @@ -0,0 +1,115 @@ +module aaa-authz-service-impl { + + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv"; + prefix "aaa-authz-srv-impl"; + + import config { prefix config; revision-date 2013-04-05; } + import rpc-context { prefix rpcx; revision-date 2013-06-17; } + import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; } + import opendaylight-md-sal-dom {prefix dom;} + import authorization-schema { prefix authzs; revision-date 2014-07-22; } + import ietf-inet-types {prefix inet; revision-date 2010-09-24;} + + description + "This module contains the base YANG definitions for + AuthZ implementation."; + + revision "2014-07-01" { + description + "Initial revision."; + } + + + // This is the definition of the service implementation as a module identity. + identity aaa-authz-service { + base config:module-type; + // Specifies the prefix for generated java classes. + config:java-name-prefix AuthzSrv; + config:provided-service dom:dom-broker-osgi-registry; + } + + // Augments the 'configuration' choice node under modules/module. + + augment "/config:modules/config:module/config:configuration" { + case aaa-authz-service { + when "/config:modules/config:module/config:type = 'aaa-authz-service'"; + +//Defines reference to the intended broker under the AuthZ broker + + container dom-broker { + uses config:service-ref { + refine type { + mandatory true; + config:required-identity dom:dom-broker-osgi-registry; + } + } + } + + container data-broker { + uses config:service-ref { + refine type { + mandatory true; + config:required-identity mdsal:binding-data-broker; + + } + } + } + +//Simple Authz data leafs: + + leaf authz-role { + type string; + } + leaf service { + type authzs:service-type; + } + + // ENUMs cannot be used right now (config subsystem + netconf cannot properly serialize enums), using strings instead + // In the generated module use Enum.valueOf from that string. + // Expected values are following strnigs: create, read, update, delete, execute, subscribe, any; + leaf action { + type string; + description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any"; + //type authzs:action-type; + + } + leaf resource { + type authzs:resource-type; + + } + leaf role { + type authzs:role-type; + } + + + + //TODO: Check why uses below doesn't make the outer list be part of the source name-space in yang code generator. + //uses authzs:authorization-grp; + list policies { + key "service"; + leaf service { + type authzs:service-type; + } + // Grouping uses ENUMs and enums are not correctly serialized in Config + Netconf + // Same as with action one level ip + leaf action { + type string; + description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any"; + //type authzs:action-type; + } + leaf resource { + type authzs:resource-type; + + } + leaf role { + type authzs:role-type; + + } + } + + + } + } + +} diff --git a/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java new file mode 100644 index 00000000..fb033341 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.aaa.authz.srv; + +import org.junit.Assert; +import org.junit.Before; +import org.mockito.Mockito; +import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker; +import org.opendaylight.controller.sal.core.api.Broker; +import org.opendaylight.controller.sal.core.api.Provider; + +public class AuthzConsumerContextImplTest { + + private Broker.ConsumerSession realconsumercontext; + private Provider realprovidercontext; + private AuthzBrokerImpl authzBroker; + private Broker realbroker; + + @Before + public void beforeTest() { + realconsumercontext = Mockito.mock(Broker.ConsumerSession.class); + realprovidercontext = Mockito.mock(Provider.class); + realbroker = Mockito.mock(Broker.class); + realbroker.registerProvider(realprovidercontext); + authzBroker = Mockito.mock(AuthzBrokerImpl.class); + } + + @org.junit.Test + public void testGetService() throws Exception { + AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl( + realconsumercontext, authzBroker); + + Assert.assertEquals("Expected Authz session context", + authzConsumerContext.getService(DOMDataBroker.class).getClass(), + AuthzDomDataBroker.class); + // Assert.assertEquals("Expected Authz session context", + // authzConsumerContext.getService(SchemaService.class).getClass(), + // SchemaService.class); + } +}
\ No newline at end of file diff --git a/odl-aaa-moon/aaa/aaa-authz/pom.xml b/odl-aaa-moon/aaa/aaa-authz/pom.xml new file mode 100644 index 00000000..a5e37680 --- /dev/null +++ b/odl-aaa-moon/aaa/aaa-authz/pom.xml @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.opendaylight.aaa</groupId> + <artifactId>aaa-parent</artifactId> + <version>0.3.2-Beryllium-SR2</version> + <relativePath>../parent</relativePath> + </parent> + + <artifactId>aaa-authz</artifactId> + <name>${project.artifactId}</name> + <packaging>pom</packaging> + + <modules> + <module>aaa-authz-model</module> + <module>aaa-authz-service</module> + <module>aaa-authz-config</module> + <module>aaa-authz-restconf-config</module> + </modules> +</project> |